A vendor is attempting to map and preserve a network drive using NT AUTHORITY\SYSTEM, so that it stays persistent when the interactive session on the server is lost. They were able to do this on one server (Windows 2008 R2) but not on a second computer (also Windows 2008 R2).

I am unsure how to set up a "machine account mapping" that preserves the drive letter of the NetApp path being mapped, so that the service account running a Windows service can continue to access the share after the interactive logon on the server has expired. Since they were able to do this on one server but not the other, I'm not sure how to troubleshoot the problem. Any suggestions?
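As an added example (not part of the original question or either answer), this is one way to create the kind of mapping the question describes and to verify it from the SYSTEM context rather than from the admin's own session. A scheduled task that runs as SYSTEM at boot maps the drive inside SYSTEM's logon session; services running as LocalSystem share that logon session, so they see the letter regardless of whether anyone is logged on interactively. The share path `\\netapp1\data`, the letter `Z:` and the task names are placeholders.

```powershell
# Added example for the thread above, not the asker's or vendor's script.
# Placeholders: the share and drive letter are assumed values.
$share  = '\\netapp1\data'
$letter = 'Z:'
$task   = 'Map NetApp drive for SYSTEM'

# 1. Register a task that runs as NT AUTHORITY\SYSTEM at every boot and maps the
#    drive inside SYSTEM's logon session. /persistent:no is deliberate: SYSTEM
#    has no profile for a persistent mapping to live in, and the task recreates
#    the letter on each start anyway.
$mapCmd = "net use $letter $share /persistent:no"
schtasks /Create /TN $task /SC ONSTART /RU SYSTEM /RL HIGHEST /F /TR "cmd.exe /c $mapCmd"

# 2. Run it now instead of waiting for a reboot, then read back the exit code
#    of the last run (0 = net use succeeded).
schtasks /Run /TN $task
Start-Sleep -Seconds 5
schtasks /Query /TN $task /V /FO LIST | Select-String 'Last Result'

# 3. Verify from SYSTEM's point of view. 'net use' typed into an admin shell
#    lists the admin's mappings, not SYSTEM's, so a one-shot task writes
#    SYSTEM's view (and any error text) to a file.
$out   = 'C:\Windows\Temp\system-drives.txt'
$probe = 'Show SYSTEM drives'
schtasks /Create /TN $probe /SC ONCE /ST 00:00 /RU SYSTEM /F /TR "cmd.exe /c net use > $out 2>&1"
schtasks /Run /TN $probe
Start-Sleep -Seconds 5
Get-Content $out
schtasks /Delete /TN $probe /F
```

If step 2 reports a non-zero Last Result, the file written in step 3 carries the `net use` error for the SYSTEM context (for example a logon failure or "network path not found"), which is the message to troubleshoot against on the server that fails; comparing that file between the working and the failing server is the quickest way to see whether the mapping itself or the authentication to the filer is what differs.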

2 Answers
2

Is it possible that netapp1 is unable to verify if the computer account of the host you are using is actually belonging to the domain?

I know nothing about the methods of NetApp's AD / authentication and authorization integration, but possible weak spots would be things like ACLs (machineaccount1 is allowed access while machineaccount2 is not), domain trusts (where the NetApp would be able to verify machineaccount1 belonging to domain1 but not machineaccount2 belonging to a trusted domain) or AD replication issues (if information needed to verify machineaccount2 is not present on the DC queried by the NetApp).

Edit: a similar question has been asked at NetApp's support forum in the meantime and it has a promising answer - a mismatch between the DNS registration for netapp1 and the actual address used for accessing it might cause Kerberos auth to fail, resulting in this error message. The thread also references NetApp's KB 2013374 which seems to include additional information but requires a valid logon to NetApp's support site to be viewed.

Could it be that the machine's AD account is not trusted for delegation? This would result in the NT AUTHORITY\SYSTEM account not being able to act as the machine's AD account. You can check this in Active Directory on the second machine's object. Another issue might be missing Service Principal Names for the second machine. Try the following: `SETSPN -L <second_machine_name>` and see what you get back. There should be at least an entry for HOST, and one for RestrictedKrbHost would be nice.
– hot2use May 9 '14 at 6:53
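The checks suggested in the first answer's edit (a mismatch between the filer's DNS registration and the address actually used, breaking Kerberos) and in the comment above (the second machine's SPNs and delegation setting) can be collected in one script run on the failing server. This is an added example, not code from the thread or from NetApp; `netapp1`, `netapp1.corp.example`, `server2` and the share `data` are placeholder names, and the last step assumes the Active Directory module from RSAT is installed. .NET DNS calls are used instead of `Resolve-DnsName` so it also runs under PowerShell 2.0 on Windows 2008 R2.

```powershell
# Added diagnostic example for this thread; all names below are placeholders.
$filerShort = 'netapp1'
$filerFqdn  = 'netapp1.corp.example'
$share      = "\\$filerFqdn\data"
$server     = 'server2'

# 1. DNS consistency. The name used in the UNC path decides which cifs/<name>
#    SPN the client asks a ticket for, so the forward record and the reverse
#    record of the resulting address must agree with the name the filer has
#    registered, or Kerberos fails and the client falls back to NTLM (or errors).
try {
    $ip      = [System.Net.Dns]::GetHostAddresses($filerFqdn) | Select-Object -First 1
    $reverse = [System.Net.Dns]::GetHostEntry($ip).HostName
    "$filerFqdn -> $ip -> $reverse"
    if ($reverse -ne $filerFqdn) { Write-Warning "forward/reverse mismatch for $filerFqdn" }
} catch {
    Write-Warning "DNS lookup failed for ${filerFqdn}: $($_.Exception.Message)"
}

# 2. Kerberos ticket for the filer. Purge the cache, touch the share once, and
#    look for a cifs/ ticket. No cifs/ ticket after a successful directory
#    listing means the session was set up with NTLM rather than Kerberos.
klist purge | Out-Null
Get-ChildItem $share -ErrorAction SilentlyContinue | Out-Null
klist | Select-String 'cifs/'

# 3. SPNs registered on the filer's own computer account. The cifs/ entry for
#    the exact name used in $share is what lets the DC issue the ticket above.
setspn -L $filerShort

# 4. The failing server's computer account, as the comment asks: its SPNs
#    (HOST/ and RestrictedKrbHost/ entries expected) and whether it is trusted
#    for delegation. PasswordLastSet is included because a stale machine
#    password also shows up as authentication failures at the filer.
setspn -L $server
Import-Module ActiveDirectory
Get-ADComputer -Identity $server -Properties ServicePrincipalName, TrustedForDelegation, PasswordLastSet |
    Select-Object Name, TrustedForDelegation, PasswordLastSet,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join '; ' } } |
    Format-List
```

Run the same script on the server where the mapping works and diff the two outputs: a cifs/ ticket present on one and absent on the other, or a reverse record that differs between what each server resolves, points at the DNS/Kerberos cause from the first answer, while a difference only in step 4 points at the computer account itself. Note that the script runs under the admin's logon session, so step 2 shows whether this host can obtain a ticket for the filer, not the state of the SYSTEM session's own ticket cache.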